Merge branch 'master' of github.com:pegasystems/pega-helm-charts

.github/workflows/github-actions-build.yml

@@ -22,6 +22,14 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  run-supplemental-validation-job:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Run validate supplementals script
+        run : |
+          sh validate_supplementals.sh
   run-lint-job:
     runs-on: ubuntu-20.04
     steps:
@@ -53,9 +61,7 @@ jobs:
 
       - name: run helm lint
         run: |
-          helm lint --with-subcharts --values lint/values.yml --strict charts/addons
-          helm lint --with-subcharts --values lint/values.yml --strict charts/backingservices
-          helm lint --with-subcharts --values lint/values.yml --strict charts/pega
+          sh helmlint.sh
       
       - name: Install xml lint
         run: |  

.github/workflows/mend-scan.yml

@@ -0,0 +1,54 @@
+# Reference: https://github.com/mend-toolkit/mend-examples/blob/main/Unified%20Agent/CI-CD/GitHub.yml
+
+name: Mend Unified Agent Release Scan
+on: 
+  workflow_dispatch:
+  push:
+   branches:
+   - 'master'
+jobs:
+  mendscan:
+    env:
+      WS_APIKEY: ${{secrets.MEND_APIKEY}}
+      WS_USERKEY: ${{secrets.MEND_USERKEY}}
+      WS_WSS_URL: ${{secrets.MEND_WS_WSS_URL}}
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up JDK
+      uses: actions/setup-java@v2
+      with:
+        java-version: '11'
+        distribution: 'adopt'
+    # - name: Build with Gradle
+    #   run: ./gradlew -Prelease.useLastTag=false clean build
+    - name: Mend Unified Agent Scan
+      env:
+        WS_PRODUCTNAME: ${{vars.MEND_PRODUCT_NAME}}
+        WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}}
+        WS_GENERATEPROJECTDETAILSJSON: true
+        WS_GRADLE_ADDITIONALARGUMENTS: -Prelease.useLastTag=false
+      run: |
+        echo Downloading Mend Unified Agent
+        curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
+        if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
+          echo "Integrity Check Failed"
+        else
+          echo "Integrity Check Passed"
+          echo Starting Unified Agent Scan
+          java -jar wss-unified-agent.jar
+        fi
+    - name: 'Upload WhiteSource folder'
+      uses: actions/upload-artifact@v2
+      with:
+        name: Mend
+        path: whitesource
+        retention-days: 14
+    - name: 'Upload Mend folder if failure'
+      uses: actions/upload-artifact@v2
+      if: failure()
+      with:
+        name: Mend
+        path: whitesource
+        retention-days: 14

Jenkinsfile

@@ -38,7 +38,7 @@ node {
             sh "helm package --version ${chartVersion} ./charts/pega/"
             sh "helm package --version ${chartVersion} ./charts/addons/"
             sh "helm package --version ${chartVersion} ./charts/backingservices/"
-            sh "tar -czvf ${deployConfigsFileName} --directory=./charts/pega/config deploy/context.xml.tmpl deploy/server.xml.tmpl deploy/prconfig.xml deploy/prlog4j2.xml"
+            sh "tar -czvf ${deployConfigsFileName} --directory=./charts/pega/config deploy/context.xml.tmpl deploy/server.xml.tmpl deploy/prconfig.xml deploy/prlog4j2.xml deploy/java.security.overwrite deploy/catalina.properties deploy/tomcat-web.xml"
             sh "mkdir -p ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/migrateSystem.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prbootstrap.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prconfig.xml.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prlog4j2.xml ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prpcUtils.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/setupDatabase.properties.tmpl ./charts/pega/charts/installer/config/installer && tar -czvf ${installerConfigsFileName} --directory=./charts/pega/charts/installer/config installer/migrateSystem.properties.tmpl installer/prbootstrap.properties.tmpl installer/prconfig.xml.tmpl installer/prlog4j2.xml installer/prpcUtils.properties.tmpl installer/setupDatabase.properties.tmpl"
 
             // Publish helm charts to test-automation GitHub Pages

README.md

@@ -191,3 +191,10 @@ New versions of this Helm Chart may be released at any time. Versions are define
 * Patch: Pega fixes bugs and maintains backwards compatibility between minor releases. Examples:
   * Bug fixes or known issue resolutions.
   * Security vulnerability enhancements.
+
+## Helm charts and Docker images compatibility
+
+Both Helm charts and Docker images undergo frequent updates; new Helm chart releases may appear at any time, and the latest patch versions of the Docker images are rebuilt nightly as part of software maintenance (for more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform-88/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html)). This might result in incompatibility issues during the install and upgrade process. To ensure that Helm charts and Docker images are compatible, do one of the following actions:
+
+* If you update your Helm charts to the latest version to take advantage of new features, update your Docker images to the latest version as well (latest build of the latest patch).
+* If you upgrade your Pega Platform to a later version, use the latest Docker image build and latest Helm chart version.

before_deploy.sh

@@ -25,7 +25,7 @@ ls
 helm package --version ${CHART_VERSION} ./charts/pega/
 helm package --version ${CHART_VERSION} ./charts/addons/
 helm package --version ${CHART_VERSION} ./charts/backingservices/
-tar -czvf ${DEPLOY_CONFIGURATIONS_FILE_NAME} --directory=./charts/pega/config deploy/context.xml.tmpl deploy/server.xml.tmpl deploy/prconfig.xml deploy/prlog4j2.xml
+tar -czvf ${DEPLOY_CONFIGURATIONS_FILE_NAME} --directory=./charts/pega/config deploy/context.xml.tmpl deploy/server.xml.tmpl deploy/prconfig.xml deploy/prlog4j2.xml deploy/java.security.overwrite deploy/catalina.properties deploy/tomcat-web.xml
 mkdir -p ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/migrateSystem.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prbootstrap.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prconfig.xml.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prlog4j2.xml ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/prpcUtils.properties.tmpl ./charts/pega/charts/installer/config/installer && cp ./charts/pega/charts/installer/config/setupDatabase.properties.tmpl ./charts/pega/charts/installer/config/installer && tar -czvf ${INSTALLER_CONFIGURATIONS_FILE_NAME} --directory=./charts/pega/charts/installer/config installer/migrateSystem.properties.tmpl installer/prbootstrap.properties.tmpl installer/prconfig.xml.tmpl installer/prlog4j2.xml installer/prpcUtils.properties.tmpl installer/setupDatabase.properties.tmpl
 # and merge it
-helm repo index --merge index.yaml --url https://pegasystems.github.io/pega-helm-charts/ .
+helm repo index --merge index.yaml --url https://pegasystems.github.io/pega-helm-charts/ .

charts/backingservices/charts/constellation/templates/clln-deployment.yaml

@@ -1,6 +1,4 @@
-#Deploy only when the constellation flag has been enabled in the values yaml.
-{{ if and .Values.enabled (eq .Values.enabled true) }}
-
+{{- if .Values.enabled }}
 kind: Deployment
 apiVersion: apps/v1
 metadata:
@@ -24,7 +22,7 @@ spec:
         image: {{ .Values.docker.constellation.image }}
         args:
         - port=3000
-        # constellation URL path, if you change it, you need to change ingress template files too 
+        # constellation URL path, if you change it, you need to change ingress template files too
         - urlPath=/c11n
         - logLevel={{ .Values.logLevel }}
         livenessProbe:
@@ -47,4 +45,4 @@ spec:
             port: 3000
         ports:
         - containerPort: 3000
-{{ end }}
+{{ end }}

charts/backingservices/charts/constellation/templates/clln-ingress.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -24,4 +25,5 @@ spec:
           service:
             name: constellation
             port:
-              number: 3000
+              number: 3000
+{{ end }}

charts/backingservices/charts/constellation/templates/clln-service.yaml

@@ -1,5 +1,4 @@
-#Deploy only when the constellation flag has been enabled in the values yaml.
-{{ if and .Values.enabled (eq .Values.enabled true) }}
+{{- if .Values.enabled }}
 apiVersion: v1
 kind: Service
 metadata:

charts/backingservices/charts/constellation/templates/pega-registry-secret.yaml

@@ -1 +1,3 @@
-{{- include "pegaRegistryCredentialsSecretTemplate" . }}
+{{- if .Values.enabled }}
+{{- include "pegaRegistryCredentialsSecretTemplate" . }}
+{{ end }}

charts/backingservices/charts/srs/README.md

@@ -57,7 +57,8 @@ To deploy Pega Platform with the SRS backing service, the SRS helm chart require
 | `deploymentName`                        | Specify the name of your SRS cluster. Your deployment creates resources prefixed with this string. This is also the service name for the SRS.                                                                                                                                                                                                                                                                                                                                                          |
 | `srsRuntime`                            | Use this section to define specific resource configuration options like image, replica count, cpu and memory resource settings in the SRS.                                                                                                                                                                                                                                                                                                                                                             |
 | `busybox`                               | When provisioning an internally managed Elasticsearch cluster, you can customize the location and pull policy of the Alpine image used during the deployment process by specifying `busybox.image` and `busybox.imagePullPolicy`.                                                                                                                                                                                                                                                                      |
-| `elasticsearch`                         | Define the elasticsearch cluster configurations. The [Elasticsearch](https://github.com/helm/charts/tree/master/stable/elasticsearch/values.yaml) chart defines the values for Elasticsearch provisioning in the SRS cluster. For internally provisioned Elasticsearch the default version is set to `7.10.2`. Set the `elasticsearch.imageTag` parameter in values.yaml to `7.16.3` to use this supported version in the SRS cluster.                                                                 |
+| `elasticsearch`                         | Define the elasticsearch cluster configurations. The [Elasticsearch](https://github.com/helm/charts/tree/master/stable/elasticsearch/values.yaml) chart defines the values for Elasticsearch provisioning in the SRS cluster. For internally provisioned Elasticsearch the default version is set to `7.10.2`. Set the `elasticsearch.imageTag` parameter in values.yaml to `7.16.3` to use this supported version in the SRS cluster.                                                                |
+| `k8sProvider`                               | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`].. 
 
 ### Enabling security between SRS and Elasticsearch
 To configure a secure connection between the SRS cluster and Elasticsearch, add the following the settings in your backingservices configuration file to reflect your organization's connectivity setup.

charts/backingservices/charts/srs/templates/_helpers.tpl

@@ -185,24 +185,35 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Network policy: kube-dns
+Network policy: `openshift-dns` for openshift cluster, `kube-dns | core-dns` for other supported providers.
 */}}
-{{- define "srs.netpol.kube-dns" -}}
-- namespaceSelector:
-    matchLabels:
-      name: kube-system
-- podSelector:
-    matchExpressions:
-      - key: k8s-app
-        operator: In
-        values: ["kube-dns", "coredns"]
-ports:
-- protocol: TCP
-  port: 53
-- protocol: TCP
-  port: 1053
-- protocol: TCP
-  port: 80
-- protocol: TCP
-  port: 8080
+{{- define "srs.dns" -}}
+{{ if eq .Values.global.k8sProvider "openshift" }}
+- to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+  ports:
+    - protocol: UDP
+      port: 5353
+{{ else }}
+- to:
+    - namespaceSelector:
+        matchLabels:
+          name: kube-system
+    - podSelector:
+        matchExpressions:
+          - key: k8s-app
+            operator: In
+            values: ["kube-dns", "coredns"]
+  ports:
+    - protocol: TCP
+      port: 53
+    - protocol: TCP
+      port: 1053
+    - protocol: TCP
+      port: 80
+    - protocol: TCP
+      port: 8080
+{{- end -}}
 {{- end -}}

charts/backingservices/charts/srs/templates/srsservice_deployment.yaml

@@ -103,13 +103,13 @@ spec:
         imagePullPolicy: {{ .Values.busybox.imagePullPolicy }}
     {{- if .Values.srsStorage.tls.enabled }}
         args:
-          - until $(wget -q -S --spider --timeout=2 -O /dev/null $ELASTICSEARCH_PROTO://$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD@$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT --no-check-certificate); do echo Waiting for Elasticsearch cluster to become live...; sleep 10; done;
+          - until $(wget -q -S --spider --timeout=2 -O /dev/null $ELASTICSEARCH_PROTO://$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD@$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT --no-check-certificate); do nslookup -type=ns $ELASTICSEARCH_HOST && echo Waiting for Elasticsearch cluster to become live...; sleep 10; done;
         command:
           - sh
           - -c
   {{ else }}
         args:
-          - until $(wget -q -S --spider --timeout=2 -O /dev/null $ELASTICSEARCH_PROTO://$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD@$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT ); do echo Waiting for Elasticsearch cluster to become live...; sleep 10; done;
+          - until $(wget -q -S --spider --timeout=2 -O /dev/null $ELASTICSEARCH_PROTO://$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD@$ELASTICSEARCH_HOST:$ELASTICSEARCH_PORT ); do nslookup -type=ns $ELASTICSEARCH_HOST && echo Waiting for Elasticsearch cluster to become live...; sleep 10; done;
         command:
           - sh
           - -c

charts/backingservices/charts/srs/templates/srsservice_networkpolicy.yaml

@@ -35,8 +35,7 @@ spec:
     ports:
     - protocol: TCP
       port: 9200
-  - to:
-{{ include "srs.netpol.kube-dns" . | indent 4 }}
+{{ include "srs.dns" . | indent 2 }}
   {{ if and (.Values.srsStorage.requireInternetAccess) (not .Values.srsStorage.provisionInternalESCluster) -}}
   - to:
     - podSelector:

charts/backingservices/values.yaml

@@ -4,6 +4,8 @@ global:
     registry: "YOUR_DOCKER_REGISTRY"
     username: "YOUR_DOCKER_REGISTRY_USERNAME"
     password: "YOUR_DOCKER_REGISTRY_PASSWORD"
+  # Specify the value of your Kubernetes provider
+  k8sProvider: "YOUR_KUBERNETES_PROVIDER"
 
 # Search and Reporting Service (SRS) Configuration
 srs:
@@ -69,6 +71,8 @@ srs:
     # set the requireInternetAccess parameter to "true".
     requireInternetAccess: false
 
+constellation:
+  enabled: false
 
 # This section specifies the configuration for deploying an internal elasticsearch cluster for use with SRS.
 # The configuration for rest of the values defined under 'elasticsearch' are to define the elasticsearch cluster

charts/pega/KafkaClusterRequirement.md

@@ -7,7 +7,7 @@ Pega supports Client-managed cloud clients to configure an externalized Kafka co
 Pega Platform deployments using Pega-provided Helm charts starting at version 2.2 or later provide Pega Helm chart settings that allow you to configure the connection and authentication details required by your organization's Kafka service infrastructure. These latest, Kafka-specific Pega Helm chart enhancements provide a scalable Kafka configuration for your Pega applications running in your preferred Kubernetes environment while offering great flexibility in connecting to a Kafka service infrastructure using your company's preferred streaming policy and security profiles. To manage your externalized Kafka configuration in your deployment see [Kafka Helm charts](https://github.com/bitnami/charts/tree/master/bitnami/kafka).
 
 #### Version
-Pega recommends Apache Kafka versions 2.3.1 or later (Verified version 3.2.1)
+Use Apache Kafka version 3.4.0 or earlier for your Kafka service cluster.
 
 ### Configuration